Ransom:Win32/Petya.A-joey

Explanation

Installation

This threat may be installed by malicious documents distributed through email, and it also uses exploits to spread to other machines.

You might see the following email:

Payload

Encrypts Master Boot Record (MBR)

If the malware runs with the SeShutdownPrivilege, SeDebugPrivilege or SeTcbPrivilege privilege, it overwrites the MBR of the victim's machine. It accesses the first physical disk directly through the device path '\\.\PhysicalDrive0' using the DeviceIoControl() API.
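Because the malware rewrites the boot sector in place, a defender can baseline the MBR of PhysicalDrive0 and alert when its boot code changes. The following is an added example (not part of the original advisory) that parses a 512-byte MBR and compares its boot-code hash against a stored baseline; the sample sectors are constructed inline, and `read_physical_drive0()` is an assumed helper that only works on Windows with administrator rights.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Parse a raw MBR: hash of the boot code, partition table, 0x55AA check."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0 means an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
    }


def mbr_changed(current: bytes, baseline_hash: str) -> bool:
    """True when the boot code no longer matches the recorded baseline.
    The 0x55AA signature alone is not enough: a replacement boot loader
    keeps it so that the machine still boots into the ransom screen."""
    return parse_mbr(current)["boot_code_sha256"] != baseline_hash


def read_physical_drive0() -> bytes:
    """Assumed helper: read the live MBR (Windows, administrator only)."""
    with open(r"\\.\PhysicalDrive0", "rb") as disk:
        return disk.read(MBR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: given boot code, one bootable NTFS partition."""
    boot = boot_code.ljust(446, b"\x00")[:446]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3,
                        2048, 1048576)
    return boot + entry + b"\x00" * 48 + BOOT_SIGNATURE


CLEAN_MBR = build_sample_mbr(b"\xEB\x63\x90" + b"constructed clean boot code")
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]  # record at install time
OVERWRITTEN_MBR = build_sample_mbr(b"constructed replacement boot code")
```

In a real deployment, record `BASELINE` from `read_physical_drive0()` on a known-good host and re-check it periodically; a hash mismatch with an intact signature is exactly the pattern this overwrite produces.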

Encrypts files

This malware encrypts files on fixed drives using AES-128 and RSA-2048, targeting files with the following extensions:

If the file perfc.dat exists in %SystemRoot% (C:\Windows\perfc.dat), the malware does not run its Windows Management Instrumentation Command-line (WMIC) and PsExec components. The EternalBlue exploit is still executed; machines that are patched are not vulnerable to it.